3 matches found
CVE-2026-58404
Hugo is a static site generator. From v0.162.0 through v0.163.0, the default security.http.urls policy denies requests to loopback, internal, and cloud-metadata IPv4 literals, but the deny rule only matched dotted-decimal notation, so alternate IPv4 encodings of the same addresses, including...
CVE-2026-58404 Hugo security.http.urls deny rules bypassed by alternate IPv4 encodings
Hugo is a static site generator. From v0.162.0 through v0.163.0, the default security.http.urls policy denies requests to loopback, internal, and cloud-metadata IPv4 literals, but the deny rule only matched dotted-decimal notation, so alternate IPv4 encodings of the same addresses, including...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the resources.GetRemote process while the host platform uses the cgo system resolver. When alternate IPv4 encodings are used in URLs, such as integer, hexadecimal, or octal representations, which bypa...